[c-nsp] help on NAT rate limiting
Rodney Dunn
rodunn at cisco.com
Thu Dec 30 12:49:39 EST 2004
CSCsa51150
Externally found severe defect: New (N)
NAT translation not timing out correctly when a TCP session closes
Full text of defect
has been filed for this.
Rodney
> This appears to be the difference.
>
> When the RST/FIN comes in before the
> translation is timed out more aggressively
> even though the default timeout is still
> 24 hours.
>
> I'm checking to see why this change was done.
>
> So the default really didn't change for the global
> translation timeout.
>
> The aggressive timer when a close happens appears
> to have for some reason.
>
>
> I'll let you know what I figure out....
>
>
> In 12.2(12) if I have overload and a TCP
> session the timeout looks like this after
> the session is closed:
>
> 101_#sh ip nat trans ver
> Pro Inside global Inside local Outside local Outside global
> tcp 3.3.3.1:11004 1.1.1.1:11004 3.3.3.2:23 3.3.3.2:23
> create 00:00:10, use 00:00:06, left 23:59:53, Map-Id(In): 1,
> flags:
> extended, use_count: 0
>
> Close the session:
>
> 101_#sh ip nat trans ver
> Pro Inside global Inside local Outside local Outside global
> tcp 3.3.3.1:11004 1.1.1.1:11004 3.3.3.2:23 3.3.3.2:23
> create 00:00:16, use 00:00:01, left 00:00:58, Map-Id(In): 1,
> flags:
> extended, timing-out, use_count: 0
> 101_#sh ver | incl IOS
> IOS (tm) Solaris Software (UNIX-JS-M), Version 12.2(12), RELEASE SOFTWARE (fc1)
> 101_#
>
> so it will age out in 1 minute.
>
>
> Now on 12.3(12):
>
> 101_#sh ip nat trans ver
> Pro Inside global Inside local Outside local Outside global
> tcp 3.3.3.1:11005 1.1.1.1:11005 3.3.3.2:23 3.3.3.2:23
> create 00:00:07, use 00:00:03, left 23:59:56, Map-Id(In): 1,
> flags:
> extended, use_count: 0
> 101_#!close the session
> 101_#sh ip nat trans ver
> Pro Inside global Inside local Outside local Outside global
> tcp 3.3.3.1:11005 1.1.1.1:11005 3.3.3.2:23 3.3.3.2:23
> create 00:00:16, use 00:00:06, left 23:59:53, Map-Id(In): 1,
> flags:
> extended, use_count: 0
>
> The translation will not time out for 24 hours even after the session
> is closed.
>
>
> On Wed, Dec 29, 2004 at 03:53:47PM -0500, Rodney Dunn wrote:
> > I missed that in the long response.
> >
> > Let me take a look and see what I
> > can find.
> >
> > Rodney
> >
> > On Wed, Dec 29, 2004 at 01:06:17PM -0700, james edwards wrote:
> > >
> > > ----- Original Message -----
> > > From: "Rodney Dunn" <rodunn at cisco.com>
> > > To: "Ted Mittelstaedt" <tedm at toybox.placo.com>
> > > Cc: <cisco-nsp at puck.nether.net>
> > > Sent: Wednesday, December 29, 2004 8:14 AM
> > > Subject: Re: [c-nsp] help on NAT rate limiting
> > >
> > >
> > > > 12.3 what. I need the exact version so
> > > > I can verify on some bugs that are listed.
> > > >
> > >
> > > Looks like 12.3.12 to me:
> > >
> > > The only other thing I can think might possibly be the explanation
> > > here is that there's a bug in IOS 12.3 where the translator is
> > > missing some of the tcp connection close commands. But, this is
> > > IOS 12.3.12 and I've had this same problem on earlier 12.3 versions
> > > on a 1600 series at a different customer - I switched back to 12.1
> > > on that one. I find it hard to believe such a glaring bug (which
> > > basically makes nat useless in a default configuration) would not
> > > have been found after twelve iterations of IOS!!!
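The behaviour compared in the thread (a translation entering the timing-out state and aging out about a minute after the TCP close on 12.2(12), versus lingering for the full 24-hour default on 12.3(12)) as an added example that is not code from the thread, from the poster or from Cisco. It parses the `show ip nat translations verbose` output quoted above and models the aging of a translation entry; the 24 h and 60 s values are read off the quoted outputs, and the state machine is an assumed simplification rather than IOS logic.

```python
# Added example, not from the cisco-nsp thread or from Cisco.
# Timeouts are the values visible in the quoted show output; the aging
# state machine below is an assumed simplification, not IOS code.
from __future__ import annotations
import re
from dataclasses import dataclass

DEFAULT_TCP_TIMEOUT = 24 * 3600   # "left 23:59:53" right after creation
CLOSE_TIMEOUT = 60                # "left 00:00:58" after the close on 12.2(12)


def hms_to_seconds(text: str) -> int:
    """'23:59:53' -> 86393."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


@dataclass
class Translation:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str
    left: int = DEFAULT_TCP_TIMEOUT
    timing_out: bool = False


ENTRY_RE = re.compile(r"^(tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
TIMER_RE = re.compile(r"use (\d\d:\d\d:\d\d), left (\d\d:\d\d:\d\d)")


def parse_translations(output: str) -> list[Translation]:
    """Parse verbose show output; mail-quote prefixes ('> ') are tolerated."""
    entries: list[Translation] = []
    for raw in output.splitlines():
        line = raw.lstrip("> ").strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Translation(*m.groups()))
            continue
        if not entries:
            continue                      # header or prompt line
        current = entries[-1]
        m = TIMER_RE.search(line)
        if m:
            current.left = hms_to_seconds(m.group(2))
        if "timing-out" in line:          # flag printed on the flags line
            current.timing_out = True
    return entries


def lingering_after_close(output: str) -> list[Translation]:
    """TCP entries that are not timing out and still hold more than
    CLOSE_TIMEOUT seconds. For output taken right after the operator closed
    every session, this is what the symptom in the thread leaves behind."""
    return [e for e in parse_translations(output)
            if e.proto == "tcp" and not e.timing_out and e.left > CLOSE_TIMEOUT]


class NatTable:
    """Toy translation table. aggressive_close=True models the 12.2(12)
    behaviour; False reproduces the 12.3(12) symptom from the thread."""

    def __init__(self, aggressive_close: bool = True):
        self.aggressive_close = aggressive_close
        self.entries: dict[tuple, Translation] = {}

    def translate(self, proto, inside_global, inside_local, outside,
                  tcp_flags=frozenset()) -> Translation:
        key = (proto, inside_global, outside)
        entry = self.entries.get(key)
        if entry is None:
            entry = Translation(proto, inside_global, inside_local, outside, outside)
            self.entries[key] = entry
        elif not entry.timing_out:
            entry.left = DEFAULT_TCP_TIMEOUT   # traffic refreshes the idle timer
        # A correct close handler shortens the timer once a FIN or RST is seen.
        if proto == "tcp" and self.aggressive_close and tcp_flags & {"FIN", "RST"}:
            entry.left = min(entry.left, CLOSE_TIMEOUT)
            entry.timing_out = True
        return entry

    def tick(self, seconds: int) -> None:
        """Advance the clock; expired entries are removed."""
        for key in list(self.entries):
            self.entries[key].left -= seconds
            if self.entries[key].left <= 0:
                del self.entries[key]


def simulate(aggressive_close: bool) -> int:
    """Open one TCP session, close it, idle two minutes; return entries left."""
    nat = NatTable(aggressive_close)
    nat.translate("tcp", "3.3.3.1:11004", "1.1.1.1:11004", "3.3.3.2:23", {"SYN"})
    nat.tick(10)
    nat.translate("tcp", "3.3.3.1:11004", "1.1.1.1:11004", "3.3.3.2:23", {"FIN", "ACK"})
    nat.tick(120)
    return len(nat.entries)


# The two post-close outputs quoted in the thread, 12.2(12) then 12.3(12).
SAMPLE_12_2_AFTER_CLOSE = """\
Pro Inside global Inside local Outside local Outside global
tcp 3.3.3.1:11004 1.1.1.1:11004 3.3.3.2:23 3.3.3.2:23
create 00:00:16, use 00:00:01, left 00:00:58, Map-Id(In): 1,
flags:
extended, timing-out, use_count: 0
"""
SAMPLE_12_3_AFTER_CLOSE = """\
Pro Inside global Inside local Outside local Outside global
tcp 3.3.3.1:11005 1.1.1.1:11005 3.3.3.2:23 3.3.3.2:23
create 00:00:16, use 00:00:06, left 23:59:53, Map-Id(In): 1,
flags:
extended, use_count: 0
"""

if __name__ == "__main__":
    for name, text in (("12.2(12)", SAMPLE_12_2_AFTER_CLOSE),
                       ("12.3(12)", SAMPLE_12_3_AFTER_CLOSE)):
        print(name, "lingering:", lingering_after_close(text))
    print("entries after close+2min, aggressive:", simulate(True))
    print("entries after close+2min, symptom:   ", simulate(False))
```

Run against the quoted 12.2(12) output the checker reports nothing, because the entry carries the `timing-out` flag with 58 s left; against the 12.3(12) output it reports the closed session still holding 86393 s, which is the PAT port that stays reserved for a day per closed connection and, on a busy overload NAT, exhausts the translation table.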